ISMS Copilot for CMMC and NIST 800-171
Draft your SSP, POA&M, and 110 NIST 800-171 controls — for the documentation, not for the CUI.
Read this first: ISMS Copilot is not FedRAMP authorized — keep CUI out of chats
ISMS Copilot is not FedRAMP authorized and does not hold a DoD Provisional Authorization under the DoD Cloud Computing SRG (it is not on DISA's approved cloud service list). CUI (Controlled Unclassified Information), CDI (Covered Defense Information), and any data subject to DFARS 252.204-7012 must not be entered into ISMS Copilot. What ISMS Copilot does well: drafting your System Security Plan (SSP), Plan of Action and Milestones (POA&M), and the policies behind all 110 NIST 800-171 Rev 2 requirements (the revision CMMC Level 2 assessments are scored against; Rev 3 restructures the set to 97 requirements and is not yet what DFARS 252.204-7012 calls for). What it cannot do: be the system that stores or processes the CUI itself. That has to be a FedRAMP Moderate (or higher) environment.
NIST 800-171 + CMMC framework details →
What ISMS Copilot does for DoD contractors and subs
- Draft a complete SSP covering all 110 NIST 800-171 Rev 2 requirements (or the 17 Level 1 practices for CMMC L1)
- Generate a POA&M template and walk through prioritization of unmet controls
- Map your environment against each NIST 800-171 family (Access Control, Audit, Configuration Management, Incident Response, etc.)
- Prepare for CMMC Level 1 self-assessment or Level 2 third-party assessment (C3PAO)
- Cross-walk NIST 800-171 to NIST 800-53 Moderate baseline for primes that ask for both
- Train staff on CUI handling, FCI vs CUI distinction, and incident reporting requirements
Built for the DIB compliance lead
- Full NIST 800-171 Rev 2 requirement library (110 requirements, 14 families)
- CMMC Level 1 (17 practices) and Level 2 (110 practices) coverage
- DFARS 252.204-7012 incident reporting workflow (72-hour clock from discovery, reported to DC3 through the DIBNet portal)
- FCI vs CUI handling guidance
- CMMC C3PAO assessment preparation checklists
- NIST 800-53 Moderate cross-mapping for primes requiring NIST RMF
- Integration with NIST 800-171A assessment objectives
Frequently asked questions
Can I store CUI in ISMS Copilot?
No. ISMS Copilot is not FedRAMP authorized and holds no DoD Provisional Authorization under the CC SRG. DFARS 252.204-7012 requires any external cloud service that stores, processes, or transmits CDI to meet the FedRAMP Moderate baseline or equivalent, so putting CUI into ISMS Copilot would put you out of compliance with the clause. Use a FedRAMP Moderate or higher environment for the actual CUI; use ISMS Copilot for the documentation that surrounds it.
Will ISMS Copilot get FedRAMP authorized?
Not on the current roadmap. FedRAMP authorization requires implementing and documenting the full NIST 800-53 Moderate (or higher) baseline, an assessment by an accredited 3PAO, a federal agency sponsor, and a process that typically takes well over a year. ISMS Copilot's value proposition is documentation acceleration, not being the CUI system itself.
Is ISMS Copilot useful for CMMC Level 1?
Yes, and L1 is the easier case: the 17 L1 practices map directly to the basic safeguarding requirements of FAR 52.204-21, and an annual self-assessment (with an affirmation submitted to SPRS) is all that is required. ISMS Copilot drafts the L1 policies, the FCI handling SOP, and the annual self-assessment and affirmation workflow.
How does this differ from NIST 800-53?
NIST 800-171 applies to non-federal systems that handle CUI (i.e. you, the contractor). NIST 800-53 applies to federal information systems (i.e. the agency). 800-171 is essentially a tailored subset of the 800-53 Moderate baseline, with requirements unique to the federal side removed. ISMS Copilot covers both, and our /frameworks/nist-800-53 page is the right starting point if your prime requires the full 800-53 baseline.
What about ITAR / export-controlled data?
ITAR-controlled technical data is CUI (the Export Controlled category) with stricter restrictions on top: it must stay on systems accessible only to US persons, and in practice on US-soil infrastructure with strict access control. The ITAR carve-out for encrypted storage abroad (22 CFR 120.54) only covers data that is end-to-end encrypted so the provider cannot read it, which a chat assistant that has to process your prompts cannot satisfy. ISMS Copilot runs entirely on EU infrastructure (Fly.io regions in the EU, Mistral in Sweden, AWS Frankfurt and Amsterdam), which is not an ITAR-cleared environment. Same pattern as CUI: use ISMS Copilot for the documentation, not for the data.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready deliverables.
